mofh Vulnerable to Improper Restriction of XML External Entity Reference
Discription

The `xml.etree.ElementTree` module that mofh used up until version `1.0.1` implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:

– [Billion Laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack): It is a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
– [Quadratic blowup attack](https://www.acunetix.com/vulnerabilities/web/xml-quadratic-blowup-denial-of-service-attack/): It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.

The Problem has been patched starting from version `1.0.1` by utilising the `defusedxml` package instead of `xml.etree.ElementTree`.

### Workarounds
For this vulnerability to be exploited the user must be using a custom API URL, which has to be manually given using the `api_url` argument, or MyOwnFreeHost’s API must be hacked. So, if the user did not use a custom API URL they _should_ be fine, however, upgrading is still advised.

Another workaround could be to call `defusedxml.defuse_stdlib()` before making any requests using the client.Read More

Back to Main

Subscribe for the latest news: